[Owasp-board] Promotion of OWASP by Non-"non-profits"
jim.manico at owasp.org
Thu Feb 20 06:48:09 UTC 2014
I still support Sonatype sponsoring the podcast. And I still support Mark
doing the podcast.
The Trusted Software Alliance has the appearance of a non-profit, but it's
This is a special case since it's a direct marketing vehicle for OWASP
giving Mark a de-facto spokesman role. When doing official spokesperson
duties for OWASP there needs to be a higher standard compared to, say, an
incubator project. Hence our social media guidelines. Our social media
guidelines are fairly clear about non-promotion and non-commercialism.
And Dennis, it will only benefit Mark *more* if the podcast were more
OWASP-centric and a stronger non-commercial stance were taken.
So I'm asking that this OWASP podcast be posted primarily on OWASP media
since it's an OWASP podcast, not a "Trusted Security Alliance" podcast. We
should also end with OWASP's mission and a call to volunteer or donate to
the foundation. Any sponsorship needs to avoid commercial "call to action".
I'm ok with "Thank you to Sonatype for sponsorship..." but I'm not ok with
"Sonatype is a trusted Partner...".
If there was no value in doing this at OWASP then Mark would have never
approached me to take over the show.
When I agreed to this, I had no idea Mark's company (which has a non-profit
appearance) was a for-profit company.
So I agree: rock on with incubator projects and be flexible there. But folks
driving our media and official communication channels need to be held to a
higher standard per our social media guidelines. It explicitly forbids
On Feb 20, 2014, at 6:41 AM, Dennis Groves <dennis.groves at owasp.org> wrote:
I agree with the **intent** of what you are saying Gentlemen, as well as
your motives. However, it causes me to have some questions:
1) We are an *information security community*
- so if we are to be vendor neutral it is not 'all vendors' that are of
concern; it is the 'security vendors'
- this is precisely because they have influence in OWASP that other
security vendors do not
The solution to the problem you propose is one that is best managed by
setting the rules and guidelines for security vendors involved in OWASP not
the 'non-security' vendors! This is risk management, and addressing the
lowest risk vendors while ignoring the highest risk vendors is simply not
Second, what is the definition of Security Vendor? Please forgive me
Gentlemen - this is an example - not an accusation nor indication that you
personally are doing 'wrong things' rather, it is simply a convenient
example that is personal to the both of you:
I would submit that we should say Michael's new role is a 'Security
Vendor' and Jim's new role is not a 'non-security-vendor' because although
Jim is in the security industry - he is doing security education - not
product promotion. Whereas Michael's new position is one where his
company's assets and goals involve the promotion of their product (e.g. they
financially benefit directly from promotion, whereas Jim benefits
indirectly). If I were to have concern about brand damage to OWASP I would
want to define the rules for the 'Michaels' in the organisation and keep my
eyes on the Jims and Marks, and set about creating rules only after abuses
Thirdly, from a human behaviour perspective I agree with Dinis Cruz, we
should reward the behaviour we like, and not penalise those contributing
not precisely as we find ideal. Policing is a kind of coercion and
violence. Thus we must reserve policing as a very last resort.
Thus, I conclude we should not have a problem with the "Mark Podcast"; he is
creating incredible value for OWASP and OWASP is benefiting from his
contributions enormously just as it has from Jim's contributions. Jim does
Jim things, Mark does Mark things. Mark gives credit where credit is due to
the company who donates their time, money and resources to produce the
Jim is on the board and aggressively promotes OWASP as a board member
ideally should. Jim is an example we can all aspire toward; but not all of
us are ready or financially secure enough to "have Jim's ethics". Simple
Additionally, if we want to really tackle this issue we must really get
serious about the elephant in the room, and this is that we are all
vendors; and not all vendors have equal access or influence in OWASP and
that is not OPEN.
On Thu, Feb 20, 2014 at 3:04 AM, Jim Manico <jim.manico at owasp.org> wrote:
> +1 Although I am very sad to see the podcast go from what I felt was
> non-commercial to commercial, I do want to acknowledge Mark's efforts.
> My suggestions:
> I'd like to see "trusted software alliance" removed from the equation.
> Sonatype is sponsoring this because of OWASP, not because of the TSA which
> is a for-profit company owned by Mark.
> 1) Post podcast updates to the wiki or OWASP blog
> 2) End the podcast with our mission statement and a call for volunteerism
> and donations
> 3) Tweet via the official OWASP Podcast Twitter Account
> 4) Keep the Sonatype ad to a minimum, and avoid any "call to action"
> around Sonatype. Right now it says "Sonatype is a trusted partner" with
> strange implications about its association with OWASP.
> 5) Have Sonatype pay OWASP for podcast sponsorship and then we pay Mark as
> a contractor. Cleaner, especially since this is an official OWASP
> communication/marketing vehicle.
> I feel 1-4 are critical.
> Jim Manico
> (808) 652-3805
> On Feb 20, 2014, at 12:52 AM, Michael Coates <michael.coates at owasp.org>
> We should certainly convene then on our sponsorship practices. If people
> are playing by the rules then we should be fine. If they aren't playing by
> the rules then we can point to the rules. If the rules are wrong, we
> shouldn't blame anyone - we should just change the rules.
> Michael Coates
> On Wed, Feb 19, 2014 at 2:40 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Here is my preferred OWASP philosophy.
>> Postel's principle: Be conservative in what you do, but be liberal in what
>> you take from others.
>> Translating that to OWASP, I'd like how OWASP presents itself outward to be
>> very clean in branding and project quality definition similar to the Apache
>> model. We are already moving in that direction with changes made in the
>> last year.
>> But I think we should be more tolerant of how others discuss OWASP
>> external to our organization.
>> Vendor neutrality is the core of why OWASP is so valuable to the
>> If we really want to focus on propping up the Application Security
>> industry, then we should change status away from an open-source charity and
>> instead be a non-profit trade association.
>> No, a project is not only on the wiki. That is just today's reality. We
>> failed to build a real project infrastructure (for software projects) and
>> instead depend on Google Code, github and other places outside of OWASP
>> with minimal OWASP branding. But I think we should continue to enforce at
>> least some branding standards here. The wiki provides history and
>> accountability that external tools do not.
>> > 2. Can a company push forward with an owasp project and promote that
>> project on their website too?
>> Only if our project branding and sponsorship standards are followed. This
>> is a bad path to go down because it will break all the work that was done
>> to build a new sponsorship model.
>> > 3. Do questions 1 and 2 matter provided the company/person acts per our
>> brand usage
>> The moment someone starts hosting major aspects of a project on a
>> commercial website, the mixed branding breaks our new sponsorship model.
>> I'm not a fan. We are paying a lot for the staff. Perhaps if we get better
>> funding we can hire more technical resources to build real project
>> infrastructure so external hosting is not necessary.
>> Last, for technical projects where someone is really working hard on a
>> valuable project, we could be more lenient.
>> For marketing endeavors where someone is sort of a spokesperson or
>> setting a standard for the organization (podcast, top 10, etc) I think more
>> OWASP centric branding is necessary.
>> Sonatype and the trusted software alliance are both for-profit companies.
>> Mark does not post on the OWASP blog and makes money that goes in his
>> pocket because he advertises Sonatype on our OWASP podcast and posts
>> updates on his commercial website. I spent years being super clean in the
>> podcast representing OWASP with honor at my own expense. I could have
>> monetized it in many ways but I did not. To see someone take the work that
>> I did and immediately "cash in" for their personal profit is absolutely
>> upsetting and against everything we stand for as a vendor neutral charity.
>> I used to end the podcast with the OWASP mission statement and a call for
>> those to volunteer and donate. Now it ends with a damn advertisement that a
>> non-OWASP commercial entity makes money from. Fuck. That.
>> Jim Manico
>> (808) 652-3805
>> On Feb 19, 2014, at 11:15 PM, Michael Coates <michael.coates at owasp.org>
>> I'd like to understand everyone's thoughts on promotion of OWASP from
>> other entities - specifically those that are either corporations, private
>> entities and generally companies with different motives than us and a
>> More specifically, what expectations do you feel should be placed on a
>> company that wants to promote an owasp project or contribute time and
>> resources to the betterment of owasp that of course also benefit themselves
>> too (e.g. being a good person has tangential benefits for the person and
>> those associated with the person)?
>> A few questions for consideration
>> 1. Does an owasp project or initiative need to live only on the owasp
>> 2. Can a company push forward with an owasp project and promote that
>> project on their website too?
>> 3. Do questions 1 and 2 matter provided the company/person acts per our
>> brand usage
>> I certainly have my opinions but want to open up the discussion.
>> I ask these larger questions because the overall issue is more important.
>> However, we can also later dive into this idea with a concrete example. We
>> have a great scenario where someone is funded by a company to do things
>> that benefit OWASP - the podcast series. If we have concerns about any
>> aspect of that situation, I'd like to understand them in the overall
>> context of how we encourage company participation.
>> Also, if our expectations don't match our stated guidance we need to
>> quickly update our guidance. It's hard for us to expect people to follow
>> rules if we don't publish them :)
>> Michael Coates
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
Dennis Groves <http://about.me/dennis.groves>, MSc
Email me, <dennis.groves at owasp.org> or schedule a meeting<http://goo.gl/8sPIy>